This note examines the range of distinct adtech data processing purposes that will require opt-in under the GDPR.[1]
In late 2017 the Article 29 Working Party cautioned that “data subjects should be free to choose which purpose they accept, rather than having to consent to a bundle of processing purposes”.[2] Consent requests for multiple purposes should “allow users to give specific consent for specific purposes”.[3] Rather than conflate several purposes for processing, Europe’s regulators caution that “the solution to comply with the conditions for valid consent lies in granularity, i.e. the separation of these purposes and obtaining consent for each purpose”.[4] This draws upon GDPR, Recital 32.[5]
In short, consent requests must be granular, showing opt-ins for each distinct purpose.
How granular must consent opt-ins be?…

PageFair believes that the GDPR will be strictly enforced. This means all unique identifiers (such as user IDs) and IP addresses will be regarded as personal data under the Regulation, and therefore must not be used in a way that would distribute them in the programmatic advertising system without consent.[1] This is why we launched Perimeter, to protect publishers from risk under the GDPR.
When publishers install PageFair Perimeter on their sites or in their apps, Perimeter will block adtech that uses unique identifiers without consent. Adtech services that do not use personal data where consent is absent will be whitelisted.
Criteria for whitelisting in on sites/apps protected by Perimeter (where required consent is absent)
No use of unique IDs
No storage of IP addresses or user agent details
Adtech vendors can perform necessary campaign measurement, attribution, and frequency capping using non-personal data methods as we have outlined here.…

This note examines whether websites can use “tracking walls” under the GDPR, and challenges the recent guidance on this issue from IAB Europe.
This week, IAB Europe published a paper that advises website owners that tracking walls (i.e., modal dialogs that require people to give consent to be tracked in order to access a website) will be permissible under the GDPR. Our view is different.
Several months ago we provided feedback to the IAB of what we regarded as serious mistakes in a preliminary draft of this paper, which we believe will be very detrimental to publishers who follow the paper’s advice. As it appears that our feedback did not make it into the published version of the paper, we want to put our opinion on the record, so that publishers can take it in to account when deciding what course to follow under the GDPR.…

In this podcast, the International Association of Privacy Professionals interviews PageFair’s Dr Johnny Ryan about the challenges and opportunities of new European privacy rules for website operators and brands. Update: 3 January 2018: This podcast was the International Association of Privacy Professionals’ most listened to podcast of 2017.
The conversation begins at 4m 14s, and covers the following issues.
Risks for website operators
How “consent” is an opportunity for publishers to take the upper hand in online media
Brands’ exposure to legal risk, and the agency / brand / insurer conundrum
Personal data leakage in RTB / programmatic adtech
How the adtech industry should adapt
As we told Wired some months ago, it’s not just that websites might expose yourself to litigation, it’s that you might expose your advertisers to litigation too.…

This note describes how ad campaigns can be measured and frequency capped without the use of personal data to comply with the GDPR.
It is likely that most people will not give consent for their personal data to be used for ad targeting purposes by third parties (only a small minority [1] of people online are expected to consent to third party tracking for online advertising). Even so, sophisticated measurement and frequency capping are possible for this audience.
This note briefly outlines how to conduct essential measurement (frequency capping, impression counting, click counting, conversion counting, view through measurement, and viewability measurement) in compliance with the EU’s General Data Protection Regulation. This means that publishers and advertisers can continue to measure the delivery of the ads that sustain their businesses, while simultaneously respecting European citizens’ right to protection of their personal data.…

Four successive quarterly reports show the year-over-year revenue growth that Facebook attributes to showing ads that adblock companies are unable to hack.
While many websites prevaricated, Facebook figured out how to turn its adblocking problem in to a $709 million revenue stream by serving ads that were immune to adblock.
Both online giants, Google and Facebook, have concluded that showing ads to adblock users is the right way to tackle adblocking.
In mid Q3 2016 Facebook implemented tamper-proof ad serving that adblock companies can not hack. Eyeo, which owns Adblock Plus, has attempted at various times to introduce hacks to break this system, with partial results for brief periods. Nonetheless, Facebook’s quarterly earnings figures reveal that it has netted nearly three quarters of a billion dollars as a result.…

Websites and advertisers can not prevent personal data from leaking in programmatic advertising. If not fixed, this will render consent to use personal data meaningless.
The GDPR applies the principle of transparency:[1] People must be able to easily learn who has their personal data, and what they are doing with it.
Equally importantly, people must have surety that no other parties receive these data.
It follows that consent is meaningless without enforcement of data protection: unless a website prevents all data leakage, a visitor who gives consent cannot know where their data may end up.
But the online advertising system leaks data in two ways. This exposes brands, agencies, websites, and adtech companies to legal risk.
How data leakage happens
If “programmatic”advertising or “real time bidding” was ever a mystery to you, take 43 seconds to watch this PageFair video.…

This note presents the results of a survey of 300+ publishers, adtech, brands, and various others, on whether users will consent to tracking under the GDPR and the ePrivacy Regulation.
In early August we published a note on consent, and asked whether people would click “yes”. We would like to thank the 300+ colleagues who responded to our research request. Now we present the results.
UPDATE: 9 January 2018, SEE MOST RECENT PAGEFAIR INSIDER NOTE ON GDPR CONSENT DIALOGUES from 8 January 2018.
Tracking for a single brand, on a single site.
305 respondents were asked by a publisher to permit a named brand and its analytics partners to track them on the site. A previous note explains the design of this notice.…

Google and Facebook will be disrupted by the new European data protection rules that are due to apply in May 2018. This note explains how.
Google and Facebook will be unable to use the personal data they hold for advertising purposes without user permission. This is an acute challenge because, contrary to what some commentators have assumed, they cannot use a “service-wide” opt-in for everything. Nor can they deny access to their services to users who refuse to opt-in to tracking.[1] Some parts of their businesses are likely to be disrupted more than others.
The GDPR Scale
When one uses Google or Facebook.com one willingly discloses personal data. These businesses have the right to process these data to provide their services when one asks them to. …